\subsection{Traps}\label{subsec:traps}
Transitions from VMX non-root operation to VMX root operation are called VM
exits (\cite{IntelSDM}, volume 3C, section 23.3). Because processor behavior in
VMX non-root mode is restricted, reasons for VM exits can be the execution of a
privileged operation or an instruction that has been constrained by the
appropriate VMX controls.

The Muen kernel uses the term trap to describe a VM exit. The system policy
allows the specification of a per-subject trap table, which defines what action
to take when a trap occurs. Listing \ref{lst:trap-table} shows an example trap
table.

\lstinputlisting[
	language=xml,
	label=lst:trap-table,
	caption=Subject trap table]
	{lst_trap_table}

This single trap table entry defines that all configurable traps should result
in an execution handover to a subject called \emph{sm} (Subject
Monitor\index{SM}). Additionally, an interrupt with vector 36 should be
injected into the handler subject on handover. Because a trap handler subject
performs operations in place of the causing subject, a trap always results in a
handover (i.e. the trapping subject is removed from the scheduling plan and
replaced by the destination subject).

Valid trap kinds are the VMX basic exit reasons defined by Intel, see Intel SDM
\cite{IntelSDM}, volume 3C, appendix C. Four exit reasons or trap kinds are
excluded from the list of configurable traps because they are reserved for
internal use by the Muen kernel.

\begin{itemize}
	\item \emph{External interrupt} (reason 1)\\
		The external interrupt trap is used to implement external interrupt
		delivery to subjects as explained in section \ref{subsec:external-ints}.
	\item \emph{Interrupt window} (reason 7)\\
		The interrupt window trap is used by the Muen kernel to optimize the
		latency of interrupt injection.
	\item \emph{VMCALL} (reason 18)\\
		Used in the event mechanism to provide the hypercall mechanism, see
		section \ref{subsec:events} for more details.
	\item \emph{VMX-preemption timer expired} (reason 52)\\
		Used by the kernel scheduler to preempt subjects
		(\ref{subsec:scheduling}).
\end{itemize}

If one of the reserved traps occurs, the kernel invokes the appropriate handler
procedure. All other trap kinds can be used to configure subject trap table
entries. When a configured trap happens, the kernel consults the static trap
table of the subject to check its validity. If it is sane, a handover is
performed to the destination subject.  Listing \ref{lst:trap-table-spec} shows
an example trap table specification generated by the \texttt{skpolicy} tool.

\begin{lstlisting}[language=Ada, label=lst:trap-table-spec, caption=Trap table specification]
Trap_Table => Trap_Table_Type'(
  0      => Trap_Entry_Type'(Dst_Subject => 2, Dst_Vector => 256),
  48     => Trap_Entry_Type'(Dst_Subject => 2, Dst_Vector => 12),
  others => Null_Trap),
\end{lstlisting}

Subject with ID two is used as handler for trap kinds "exception or
NMI\index{NMI}" (0) and "EPT violation" (48). All other traps are invalid for
this subject.

The trap mechanism is most commonly used to implement a "trap and emulate"
functionality: A subject executes a privileged operation resulting in a trap.
The subject's trap table defines which handler subject is responsible for
processing the trap. The handover is performed by the kernel and the trap
handler subject emulates the privileged operation by directly modifying the
trapping subject's memory or architectural state. After the operation is
complete, the handler subject resumes execution of the subject which caused the
trap by using a handover event as described in section \ref{subsec:events}.
